FASTJSON Remote Code Execution Vulnerability
Alibaba has issued a risk notice for a remote code execution vulnerability in Fastjson that affects versions 1.2.80 and below. Fastjson's default protection, under which autoType is disabled, can be bypassed under certain conditions; an attacker who controls the JSON input to a vulnerable application can use the bypass to achieve remote code execution on the target machine.
Fastjson is a Java library that converts Java objects into their JSON representation and converts JSON strings back into equivalent Java objects. It can work with arbitrary Java objects, including pre-existing objects for which you do not have the source code.
A CVE identifier for this Fastjson remote code execution vulnerability has not yet been assigned.
Affected version
- Fastjson ≤ 1.2.80
Unaffected version
- Fastjson 1.2.83
Solution
- Upgrade to Fastjson 1.2.83, which is not affected.
- If you cannot upgrade immediately, enable safeMode. safeMode disables autoType entirely, so any application code that relies on the @type key for polymorphic deserialization will stop working; test before rolling it out. It can be turned on in any of three ways:
  - Configure in code:
    ParserConfig.getGlobalInstance().setSafeMode(true);
  - Use a JVM startup parameter:
    -Dfastjson.parser.safeMode=true
  - Configure through the properties file:
    fastjson.parser.safeMode=true
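The following is an added example, not code from the advisory or from the Fastjson project, showing what the in-code setting does at runtime: after safeMode is enabled, a JSON document that carries an @type key is rejected outright, while plain JSON still parses. The sample input is constructed; the class name it names is an arbitrary JDK class chosen only to show that the @type key is refused regardless of what it points at. It also prints the library version (the public constant `com.alibaba.fastjson.JSON.VERSION`) so you can confirm which Fastjson the application actually loads against the affected range above.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.JSONObject;
import com.alibaba.fastjson.parser.ParserConfig;

public class SafeModeDemo {
    // Constructed sample input: untrusted JSON that uses the @type key to ask
    // Fastjson to instantiate a caller-chosen class. java.util.HashMap is a
    // harmless stand-in; the point is whether the key is honored at all.
    static final String UNTRUSTED = "{\"@type\":\"java.util.HashMap\",\"k\":\"v\"}";
    static final String BENIGN = "{\"k\":\"v\"}";

    public static void main(String[] args) {
        // Check the runtime version against the affected range (<= 1.2.80).
        System.out.println("fastjson version: " + JSON.VERSION);

        // Turn on safeMode globally before any untrusted data is parsed.
        // Equivalent to -Dfastjson.parser.safeMode=true or the properties file entry.
        ParserConfig.getGlobalInstance().setSafeMode(true);

        // Plain JSON without @type still parses normally.
        JSONObject ok = JSON.parseObject(BENIGN);
        System.out.println("benign document parsed, k=" + ok.getString("k"));

        // With safeMode on, any @type directive is refused before class lookup,
        // independent of the autoType allow/deny lists that the bypass targets.
        try {
            JSON.parseObject(UNTRUSTED);
            System.out.println("UNEXPECTED: @type was honored; safeMode is not in effect");
        } catch (JSONException e) {
            System.out.println("rejected as expected: " + e.getMessage());
        }
    }
}
```

Run this once with safeMode set in code as above, and once with the line commented out and only the JVM parameter or properties file in place, to confirm that whichever configuration channel you rely on in production actually reaches the global ParserConfig. If the "UNEXPECTED" branch is printed, the setting is not being applied and the mitigation is not in effect.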